Data102 operates a platform for detecting and mitigating DDoS attacks on IP blocks transiting Data102's network. When a client IP address is the target of a DoS or DDoS attack, our platform automatically detects it and blackholes (null-routes) all traffic destined to that IP address. At the same time, the platform advises our upstream carriers to do the same, so that the offending traffic is dropped at the upstream providers' edges. Although this causes a loss of service to the targeted IP address, it is the current best practice for protecting the rest of the network.
How it works
The DDoS RTBH service consists of three major pieces, which identify attacks, ban (defend) IP addresses, and unban them, respectively.
- Netflow telemetry is gathered from all applicable resources to a netflow collector.
- Twice per minute, the netflow telemetry is inspected to look for threshold violations.
  Threshold violations are any of the following:
  - A single IP address receives twice as much bandwidth as it did in the previous minute, sustains that rate for 2 minutes, and exceeds 100 Mbps.
  - A single IP address receives more than 20,000 packets per second for more than one minute.
- Identified attacks are logged, and the IP address owner is notified if notification has been requested/configured.
- The platform connects to Data102's core routers and null-routes the afflicted IP address.
- Data102's network tags the afflicted IP address with the BGP community that drops all traffic to that IP.
- All of Data102's network devices begin dropping traffic destined for the IP (within ~30 seconds).
- Data102's upstreams are notified via custom BGP configurations to drop all traffic to the IP.
- All upstreams begin dropping traffic to the IP at their edges (within ~1 minute).
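The two threshold rules above, expressed as a check over per-minute, per-IP netflow aggregates. This is an added example and not Data102's detection code; the `MinuteSample` type, the function names, the reading of "twice as much as the previous minute, sustained for 2 minutes" as two consecutive minutes at or above double the minute before the jump, and the sample series are all this example's own assumptions.

```python
"""Threshold check over per-minute, per-IP netflow aggregates.

Added example, not Data102's code. It models the two trigger conditions:
  1. inbound bandwidth to one IP at least doubles versus the minute before
     the jump, stays at that level for 2 consecutive minutes, and exceeds
     100 Mbps;
  2. inbound rate to one IP exceeds 20,000 packets/s for more than one
     minute (modelled as two consecutive minutes).
The telemetry below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List

BPS_FLOOR = 100_000_000   # 100 Mbps, in bits per second
BPS_GROWTH = 2.0          # "twice as much bandwidth as the previous minute"
BPS_SUSTAIN = 2           # minutes the doubled rate must persist
PPS_CEILING = 20_000      # packets per second
PPS_SUSTAIN = 2           # "more than one minute" -> two consecutive minutes


@dataclass
class MinuteSample:
    """Inbound traffic to one destination IP, aggregated over one minute."""
    bps: float  # average bits per second
    pps: float  # average packets per second


def bandwidth_violation(series: List[MinuteSample]) -> bool:
    """Rule 1. The baseline is the minute preceding the sustain window; every
    minute in the window must be >= BPS_GROWTH * baseline and > BPS_FLOOR.
    A baseline of 0 (previously idle IP) therefore trips on any >100 Mbps."""
    if len(series) < BPS_SUSTAIN + 1:
        return False
    baseline = series[-(BPS_SUSTAIN + 1)].bps
    window = series[-BPS_SUSTAIN:]
    return all(s.bps >= BPS_GROWTH * baseline and s.bps > BPS_FLOOR for s in window)


def pps_violation(series: List[MinuteSample]) -> bool:
    """Rule 2: the last PPS_SUSTAIN minutes all exceed PPS_CEILING."""
    if len(series) < PPS_SUSTAIN:
        return False
    return all(s.pps > PPS_CEILING for s in series[-PPS_SUSTAIN:])


def identify_attacks(telemetry: Dict[str, List[MinuteSample]]) -> Dict[str, str]:
    """Return {ip: rule_name} for every IP whose series violates a threshold.
    The bandwidth rule is reported first when both rules match."""
    hits: Dict[str, str] = {}
    for ip, series in telemetry.items():
        if bandwidth_violation(series):
            hits[ip] = "bandwidth"
        elif pps_violation(series):
            hits[ip] = "pps"
    return hits


# Constructed sample telemetry, oldest minute first (documentation ranges).
SAMPLE: Dict[str, List[MinuteSample]] = {
    # jumps from 60 Mbps to >120 Mbps and holds for 2 minutes -> bandwidth rule
    "198.51.100.10": [MinuteSample(60e6, 8000), MinuteSample(130e6, 15000), MinuteSample(150e6, 16000)],
    # one-minute spike that is not sustained -> no ban
    "198.51.100.20": [MinuteSample(60e6, 8000), MinuteSample(130e6, 15000), MinuteSample(90e6, 9000)],
    # small-packet flood: modest bandwidth, >20k pps for 2 minutes -> pps rule
    "198.51.100.30": [MinuteSample(20e6, 5000), MinuteSample(25e6, 26000), MinuteSample(24e6, 25000)],
    # busy but steady host: high bandwidth, no doubling, pps under the ceiling
    "198.51.100.40": [MinuteSample(200e6, 16000), MinuteSample(210e6, 16500), MinuteSample(205e6, 16000)],
}

if __name__ == "__main__":
    for ip, rule in identify_attacks(SAMPLE).items():
        print(f"{ip}: threshold violated ({rule})")
```

The steady 200 Mbps host in the sample is the case that matters for false positives: it is well above the 100 Mbps floor but never doubles, so the bandwidth rule is about the change in rate, not the absolute level. A single minute that exceeds the ceiling is likewise not enough on its own.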
RTBH Unban / Reinstatement of service
- On every run of the attack identification process (twice per minute), existing bans are evaluated.
- If a ban has expired (the current expiry timer is 5 minutes), the unbanner processes the IP.
- Data102's network removes the null-route, and local traffic begins flowing immediately.
- Upstream networks are notified of the removal, and general Internet traffic begins flowing within 1 minute.
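The ban and unban bookkeeping described in the two lists above, driven by a run every 30 seconds with a 5-minute expiry, and honouring the whitelist described in the next section. This is an added example and not Data102's code: the `RtbhController` class, the action strings standing in for router and upstream changes, the choice to leave an existing ban's expiry untouched when the IP is identified again (the page does not say whether bans are refreshed), and the event timeline are all this example's own assumptions.

```python
"""Ban lifecycle for the RTBH run loop.

Added example, not Data102's code. Each run (every 30 seconds):
  (a) bans newly identified IPs unless they are whitelisted;
  (b) lifts bans whose 5-minute expiry has passed.
Router and upstream actions are recorded as audit strings rather than
executed. The event timeline at the bottom is constructed sample data.
"""
from typing import Dict, Iterable, List, Set

RUN_INTERVAL = 30  # seconds: "2 times per minute"
BAN_TTL = 300      # seconds: "current expiry timer is 5 minutes"


class RtbhController:
    def __init__(self, whitelist: Iterable[str] = ()):
        self.whitelist: Set[str] = set(whitelist)
        self.bans: Dict[str, int] = {}  # ip -> unix time at which the ban expires
        self.actions: List[str] = []    # audit log of what would be pushed out

    def run(self, now: int, attacked: Iterable[str]) -> List[str]:
        """One scheduler run at time `now`; returns the actions taken this run."""
        start = len(self.actions)
        for ip in attacked:
            if ip in self.whitelist:
                self.actions.append(f"{now} skip {ip} (whitelisted)")
            elif ip in self.bans:
                # Assumption: an already-banned IP keeps its original expiry.
                continue
            else:
                self.bans[ip] = now + BAN_TTL
                self.actions.append(
                    f"{now} ban {ip}: local null-route + upstream blackhole community")
        # Unban pass: evaluate every existing ban against the expiry timer.
        for ip in [ip for ip, expires in self.bans.items() if now >= expires]:
            del self.bans[ip]
            self.actions.append(f"{now} unban {ip}: withdraw null-route, notify upstreams")
        return self.actions[start:]


def simulate(controller: RtbhController, events: Dict[int, List[str]], until: int) -> RtbhController:
    """Drive the controller every RUN_INTERVAL seconds from t=0 through `until`.
    `events` maps a run time to the IPs the detector flagged on that run."""
    for t in range(0, until + 1, RUN_INTERVAL):
        controller.run(t, events.get(t, []))
    return controller


# Constructed timeline: one attacked IP flagged at t=0 and again at t=60 while
# still banned, plus a whitelisted IP flagged at t=0 (documentation ranges).
SAMPLE_EVENTS: Dict[int, List[str]] = {
    0: ["198.51.100.10", "203.0.113.5"],
    60: ["198.51.100.10"],
}


def demo() -> RtbhController:
    ctl = RtbhController(whitelist=["203.0.113.5"])
    return simulate(ctl, SAMPLE_EVENTS, until=330)


if __name__ == "__main__":
    for line in demo().actions:
        print(line)
```

With these parameters the ban placed at t=0 is lifted on the run at t=300, which is the 5-minute timer in the text; the whitelisted IP never enters the ban table. The audit list is the part worth keeping in a real deployment, since it is what lets an operator reconcile what the platform pushed to the routers against what the upstreams actually dropped.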
Whitelisting, Ban Logging & Notification
Data102 is able to whitelist IP addresses such that they are never banned. This is useful for infrastructure IP ranges that are targets for attack, as well as for single-IP endpoints that consume large amounts of bandwidth. To request IP whitelisting, please contact the Data102 support team.
By default, Data102 does not notify customers when their IP addresses are banned, because the platform is fully automated. Customers who want DDoS defense notifications can be configured to receive them on a case-by-case basis. To request notification when a ban occurs on your IP space, please contact the Data102 support team.
Bans are logged, and pruned after a period of time, at: http://netflow.data102.com/antiddos.txt